Hello community, here is the log from the commit of package libvpx for openSUSE:Factory checked in at 2017-09-07 22:07:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libvpx (Old) and /work/SRC/openSUSE:Factory/.libvpx.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvpx"
Thu Sep 7 22:07:43 2017 rev:33 rq:519848 version:1.6.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/libvpx/libvpx.changes 2017-03-10 21:02:39.637528311 +0100
+++ /work/SRC/openSUSE:Factory/.libvpx.new/libvpx.changes 2017-09-07 22:07:57.903365807 +0200
@@ -1,0 +2,6 @@
+Thu Aug 31 06:26:03 UTC 2017 - adr...@suse.de
+
+- limit maximum size to 8K Fulldome resolution to avoid
+ DoS attacks. CVE-2017-0641 boo#1056539
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libvpx.spec ++++++
--- /var/tmp/diff_new_pack.TCAIOX/_old 2017-09-07 22:07:58.523278424 +0200
+++ /var/tmp/diff_new_pack.TCAIOX/_new 2017-09-07 22:07:58.527277860 +0200
@@ -131,6 +131,13 @@
 --extra-cflags="-std=gnu89 -U_FORTIFY_SOURCE %{optflags}" \
 --extra-cxxflags="-U_FORTIFY_SOURCE %{optflags}" \
 --enable-pic
+# size-limit to avoid CVE-2017-0641 DoS attacks. The limit is the
+# 8K Fulldome resolution and should be enough for all current use cases
+# bso#1056539
+# the --size-limit switch is broken atm ...
+echo '#define DECODE_WIDTH_LIMIT 8192' >> vpx_config.h
+echo '#define DECODE_HEIGHT_LIMIT 8192' >> vpx_config.h
+
 make %{?_smp_mflags} verbose=yes GEN_EXAMPLES=
 %install
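Review bot: The two appended `echo` lines in the libvpx.spec hunk define only `DECODE_WIDTH_LIMIT` and `DECODE_HEIGHT_LIMIT`. As far as I know, libvpx compiles its dimension checks only when `CONFIG_SIZE_LIMIT` is non-zero, and nothing visible here sets it, so the 8192x8192 cap may never be enforced in the built library. Please confirm what the configure-generated `vpx_config.h` holds for `CONFIG_SIZE_LIMIT`, and make the build fail when the limit is inactive, with something like `grep -q '^#define CONFIG_SIZE_LIMIT 1' vpx_config.h || exit 1` before `make`. The new comment also cites `bso#1056539` while the changelog entry says `boo#1056539`; one of the two prefixes is presumably a typo. The %build section starts before this hunk, so the full configure invocation is not visible here.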